Subject: RE: [suse-security] chroot
From: Dave Woutersen (DWoutersentriple-p.nl)
Date: Wed Dec 06 2000 - 06:42:12 CST


Also HI!

Is there a "good" doc about creating a chroot jail? I prefer UNIX independent documentation because I work with different UNIX platforms. Mostly SUN by the way.

Thanks,

Dave
>>> Boris Lorenz <bololupa.de> 6-12-00 12:47:42 >>>
Hi,

if a compiler and certain programs are missing in a chroot jail it can be
considered reasonably safe. A possible way for an attacker to break out of such
a jail is to abuse setuid programs such as (older) versions of perl (which is
likely to exist on a webserver for cgi-scripts), or to exploit known
vulnerabilities of other binaries which reside in the chroot'ed area.

There are numerous exploits for other chroot'ed environments for services such
as ftp (see http://www.securityfocus.com/archive/1/12962) but I doubt whether
these can be adjusted to your situation. Anyway, take a close look at what you
put in the chroot area.

There's some paper discussing ways of escaping the chroot jail under
http://www.bpfh.net/simes/computing/chroot-break.html which is quite
informative.

Boris <bololupa.de>

---

On 05-Dec-00 Ralf Koch wrote:
> Hi.
>
> I've just a short question: Does anybody know how secure it is to
> chroot users in a small piece of my server tree?
>
> We want users to login via ssh and work on a webserver (test scripts
> etc.). They shouldn't see each other even they shouldn't know if they
> are on a real server or in a virtual space that seems and behave in
> most cases like a server. To point it out: Is there a possibility to
> break up the chrooted environment or is it safe to let them login ?
>
> Thanks in advance
>
> *
> * Your Formel4 Team
> * mailto:infoformel4.de [...]

---------------------------------------------------------------------
To unsubscribe, e-mail: suse-security-unsubscribesuse.com
For additional commands, e-mail: suse-security-helpsuse.com
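
The advice in the thread to check what is placed in the chroot area (setuid programs, compilers, interpreters such as perl), as an added example that is not part of the original messages: a POSIX shell function that lists setuid/setgid files and build tools or interpreters under a jail directory. The `TOOLS` list, the function name and the script name are assumptions to adjust per platform.

```shell
#!/bin/sh
# Added example: audit a chroot tree for setuid/setgid files and for
# compilers/interpreters. TOOLS is an assumed list of exact basenames.
TOOLS="cc gcc g++ as ld make perl python python3"

# audit_chroot JAIL -> prints "SETID <path>" / "TOOL <path>", one per line.
# Returns 0 if the tree is clean, 1 if anything was found, 2 on bad input.
audit_chroot() {
    jail=$1
    [ -d "$jail" ] || { echo "audit_chroot: not a directory: $jail" >&2; return 2; }

    # Build "-name a -o -name b ..." from TOOLS for a single find pass.
    names=""
    for t in $TOOLS; do
        names="$names${names:+ -o }-name $t"
    done

    found=$(
        # Files that execute with their owner's or group's privileges.
        find "$jail" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print |
            sed 's/^/SETID /'
        # Build tools and interpreters, including symlinks to them.
        # $names is intentionally unquoted so it splits into find arguments.
        find "$jail" -xdev \( -type f -o -type l \) \( $names \) -print |
            sed 's/^/TOOL /'
    )
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Command-line use: sh audit_chroot.sh /path/to/jail
if [ "$#" -gt 0 ]; then
    audit_chroot "$1"
fi
```

A file can appear twice, once as `SETID` and once as `TOOL`; a setuid interpreter inside the jail is the case the thread singles out.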
